Reducing maximum size of Mojo array<bool> to prevent integer overflow.

There's an integer overflow in ArrayDataTraits<bool> since the intermediate
calculation takes place with a uint32_t. Reducing kMaxNumElements slightly
prevents this overflow, and use of such large arrays would anyway have broken.

Also added a regression testcase into the fuzzer directory, and added in
support for the array<bool> type to the fuzzer.

Change-Id: Ieabe5a9abe7fa5ebd6a27cb810db63d47dc52473
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2003179Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Auto-Submit: Mark Brand <markbrand@google.com>
Commit-Queue: Mark Brand <markbrand@google.com>
Cr-Commit-Position: refs/heads/master@{#733986}

mojo/public/cpp/bindings/lib/array_internal.h

@@ -87,7 +87,8 @@ struct ArrayDataTraits<bool> {
   };
 
   // Because each element consumes only 1/8 byte.
-  static const uint32_t kMaxNumElements = std::numeric_limits<uint32_t>::max();
+  static const uint32_t kMaxNumElements =
+      std::numeric_limits<uint32_t>::max() - 7;
 
   using StorageType = uint8_t;
   using Ref = BitRef;

mojo/public/tools/fuzzers/fuzz.mojom

@@ -28,6 +28,7 @@ union FuzzUnion {
   float fuzz_float;
   double fuzz_double;
   string fuzz_string;
+  array<bool> fuzz_bool_array;
   array<int8> fuzz_primitive_array;
   array<FuzzDummyStruct> fuzz_struct_array;
   map<string, int8> fuzz_primitive_map;
@@ -52,6 +53,7 @@ struct FuzzStruct {
   double fuzz_double;
   string fuzz_string;
 
+  array<bool> fuzz_bool_array;
   array<int8> fuzz_primitive_array;
   map<string, int8> fuzz_primitive_map;
   map<string, array<string>> fuzz_array_map;

mojo/public/tools/fuzzers/mojo_fuzzer_message_dump.cc

@@ -110,6 +110,13 @@ auto GetComplexFuzzUnion(fuzz::mojom::FuzzUnionPtr in) {
   return union_complex;
 }
 
+/* Returns a populated value for FuzzStruct->fuzz_primitive_array. */
+auto GetFuzzStructBoolArrayValue() {
+  decltype(fuzz::mojom::FuzzStruct::fuzz_bool_array) bool_array;
+  bool_array = {true, true, false, false, true, true, false, true, false};
+  return bool_array;
+}
+
 /* Returns a populated value for FuzzStruct->fuzz_primitive_array. */
 auto GetFuzzStructPrimitiveArrayValue() {
   decltype(fuzz::mojom::FuzzStruct::fuzz_primitive_array) primitive_array;
@@ -187,6 +194,7 @@ fuzz::mojom::FuzzStructPtr GetPopulatedFuzzStruct() {
   auto union_complex = GetComplexFuzzUnion(std::move(union_bool));
 
   /* Prepare the nontrivial fields for the struct. */
+  auto fuzz_bool_array = GetFuzzStructBoolArrayValue();
   auto fuzz_primitive_array = GetFuzzStructPrimitiveArrayValue();
   auto fuzz_primitive_map = GetFuzzStructPrimitiveMapValue();
   auto fuzz_array_map = GetFuzzStructArrayMapValue();
@@ -212,6 +220,7 @@ fuzz::mojom::FuzzStructPtr GetPopulatedFuzzStruct() {
       1.0,                             /* fuzz_float */
       1.0,                             /* fuzz_double */
       "fuzz",                          /* fuzz_string */
+      std::move(fuzz_bool_array),      /* fuzz_bool_array */
       std::move(fuzz_primitive_array), /* fuzz_primitive_array */
       std::move(fuzz_primitive_map),   /* fuzz_primitive_map */
       std::move(fuzz_array_map),       /* fuzz_array_map */